Secure Programming
RE: Java keystore password storage Apr 25 2005 05:52PM
Michael Howard (mikehow microsoft com) (1 replies)
Oh this thorny issue again!

On Windows you can call into the Data Protection API (CryptProtectData
etc), which uses keys derived from the user's password to protect secret
data like this, or uses a machine key if you want to lock the key down
to the machine. Mac OSX offers a similar technology called Keychain
(SecKeychainAddGenericPassword etc), but these are of course OS specific

I know of no other way that works solely with Java on all platforms...

[Writing Secure Code]
[Protect Your PC]

-----Original Message-----
From: john bart [mailto:sysadmin256 (at) hotmail (dot) com [email concealed]]
Sent: Monday, April 25, 2005 12:56 AM
To: (at) news2mail (dot) com [email concealed]; SC-L (at) securecoding (dot) org [email concealed];
secprog (at) securityfocus (dot) com [email concealed]; vuln-dev (at) securityfocus (dot) com [email concealed];
webappsec (at) securityfocus (dot) com [email concealed]
Subject: Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");

the question is, where do i store the password string? all of the
possibilities that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the
encryption key)

Any ideas?

Express yourself instantly with MSN Messenger! Download today it's FREE!

[ reply ]
Re: Java keystore password storage Apr 25 2005 06:54PM
black love (black love83 gmail com)


Privacy Statement
Copyright 2010, SecurityFocus